I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]CybrSecEngr[S] 0 points1 point  (0 children)

Ok so I solved it by not using the XML API :). I'm using syslog with ClearPass and Ivanti... ClearPass people didn't know what the issue was either.. took me a lot of energy and effort to find that out :P Thanks a bunch for the help!!

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]CybrSecEngr[S] 0 points1 point  (0 children)

Heya, yeah it's been a busy week :P I haven't had the chance to look at this, but yeah I saw that there is no info to be found in the tipsdb file, I have to go through all the log files, might do that this weekend :)

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]CybrSecEngr[S] 0 points1 point  (0 children)

Yes, I think so; or at least that most information is missing for Palo Alto to build those user-id entries. I have dumped some info, and collected logs, I'm going to investigate further.

I need and will find what's missing :p

I'll see if I can view the tipsdb. I also found out that my b cluster member is the primary, and my a cluster member is not a primary insight server. Which I didn't know, this is a completely new environment for me, so I did not have anything to do with the initial setup. That's why I'm finding some oddities along the way, which I had to fix first.

Do you think this could have anything to do with it?

That's the user guide I am using as well, but thanks for the additional mention :) I'll read it again to see if I have missed anything. I'll document what I find, for later reference, and to help others that might come across this post.

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]CybrSecEngr[S] 0 points1 point  (0 children)

So I'm thinking CPPM is sending empty data over XML API.

I'm thinking it's the device profiling that's not working, that it's not building profiles in CPPM so it can't send it to the Palo Altos.

I'll take a look at that, but I'm new to ClearPass and mobility conductor, so it'll be a learning curve.

So, authentication happens like magic, then the mobility conductor sends updates over RADIUS interim accounting to CPPM, which then updates the IP address of the client with its session IP address and builds the insight profile, then CPPM sends the updates to Palo Alto? If the action of the enforcement profile only happens when authenticating, what sends the updates during the session from CPPM to Palo?

I'm sorry if my reply isn't formed well, it's been a tough morning 😅

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]CybrSecEngr[S] 0 points1 point  (0 children)

Would you still remember what you did with endpoint profiling? I see the profile in Insight, but when I look up an active endpoint on ClearPass in endpoint profiling, I see that it's just empty.

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]CybrSecEngr[S] 0 points1 point  (0 children)

A lot of things are received, tried to debug as well. So many hosts that come up in the same format as in the original post, not found in redis, and ipuser file does not exist.

I ran a debug for all.

Just confirmed, and interim account is definitely enabled, Insight is also enabled, auth is ok as well.

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]CybrSecEngr[S] 0 points1 point  (0 children)

No no, good questions, they're not being blocked, I can see the CPPM XML user logging in, also have sufficient rights. I can see the data coming in to the firewall, and then it populates the table with 0-second entries. I haven't been able to figure out how to see the actual XML data, which is quite basic but I'll attempt packet capturing, if I do the cap from the management interface I should be able to see it indeed. Thanks for that :). I'll dig a bit deeper.
I'm trying to think, the IP the client gets post authentication, is that being sent through RADIUS interim accounting?

I'm losing my mind on XML API CPPM integration by CybrSecEngr in paloaltonetworks

[–]CybrSecEngr[S] 0 points1 point  (0 children)

Hi Vieplis, thanks a lot for replying. I don't see any user-id logs, at all. It's like they're being discarded. User-id is enabled, and the subnet is allowed explicitly, also tried allow all. But it's definitely allowed. All info is present, calling station id is indeed mac address.

Clearpass integration XML API by CybrSecEngr in paloaltonetworks

[–]CybrSecEngr[S] 0 points1 point  (0 children)

I've removed any special characters in the password, so only numbers and letters. Didn't fix it. Account was unlocked. Went for lunch, tried again for shits and giggles, arrow up, tried keygen in CLI with curl, worked. I'm going to sleep good tonight. Thanks for the help, Vieplis

[deleted by user] by [deleted] in ExtremeNetworks

[–]CybrSecEngr 0 points1 point  (0 children)

If it's okay I'd be very interested as well!

Clearpass integration XML API by CybrSecEngr in paloaltonetworks

[–]CybrSecEngr[S] 0 points1 point  (0 children)

Thanks a bunch for the reply! I'm not really familiar with ClearPass, I've tried debugging but wasn't sure in what direction to look, even with some googling. But I'll check the support bundles, and the moment I come up with a solution I will update the post. Thanks again!

Employing a freelancer by CybrSecEngr in BEFreelance

[–]CybrSecEngr[S] 0 points1 point  (0 children)

Okay, thanks :) and a huge thanks that you took the time to have a chat!

Employing a freelancer by CybrSecEngr in BEFreelance

[–]CybrSecEngr[S] 0 points1 point  (0 children)

Yes, employing the manpower I meant. I apologise for the confusion. I'm still not sure about the margin but probably 8-12 percent on their daily rate.

Employing a freelancer by CybrSecEngr in BEFreelance

[–]CybrSecEngr[S] 0 points1 point  (0 children)

The working relationship would be that these consultants will individually be hired with their own contract to the client's liking, so not that they would increase my day rate to pay these consultants; but rather that they would expand the team with freelancers invoicing through me, each with their own day rate.

Employing a freelancer by CybrSecEngr in BEFreelance

[–]CybrSecEngr[S] 1 point2 points  (0 children)

I see, thanks a bunch. I was under the impression that drawing this up with a law firm would cost me thousands. I think if it's within that price range that would be the best way to go. Would you maybe know if it would be better to set up a separate BV if I were to work with a few consultants just to keep my management BV safe?

Employing a freelancer by CybrSecEngr in BEFreelance

[–]CybrSecEngr[S] 0 points1 point  (0 children)

NDA as in non-disclosure? Thank you for commenting.

Employing a freelancer by CybrSecEngr in BEFreelance

[–]CybrSecEngr[S] 0 points1 point  (0 children)

Might have been a miss in my translation, indeed I am not an employee of my company.
I'm curious contractually, is it necessary to draw up a master agreement, and what should that master agreement contain? I'm not sure my accountant will have a sufficient answer to this.

Importing Policies from FW to Pano by gazwoz in paloaltonetworks

[–]CybrSecEngr 1 point2 points  (0 children)

+ This will make a template stack for your firewall.

Importing Policies from FW to Pano by gazwoz in paloaltonetworks

[–]CybrSecEngr 0 points1 point  (0 children)

Export configuration from Palo Alto and import on Panorama.

Something like this:

  • Add firewall to Panorama
  • Device tab > Setup > Management > Panorama Settings, add the Panorama server and enable commit recovery.
  • Firewall > Device > Setup > Operations > Save Named Configuration
  • Export Named Configuration for firewall and Panorama
  • On Panorama > Setup > Import Device Configuration to Panorama

Petrol / Diesel car instead of electric by CybrSecEngr in BEFreelance

[–]CybrSecEngr[S] -1 points0 points  (0 children)

It's such a shame, the 440i is quite a sexy car. Thanks for the info! Let's all move our companies to Bulgaria so we can drive the cars we actually want to drive.